Starting with Chrome version 58 and Firefox version 48 using certificates without SAN (SubjectAltName) attribute will cause the “Your connection is not secure” error.
To generate an SSL certificate with SAN attribute, complete the following steps (make sure you have OpenSSL installed in your system):
- Create a Root CA certificate. It will be used to issue other certificates. Fill out the form that appears. When prompted, enter the Common Name that is the fully qualified domain name of your server:
# sudo openssl genrsa -des3 -out /etc/ssl/private/rootCA.key 2048
# sudo openssl req -x509 -new -nodes -key /etc/ssl/private/rootCA.key -sha256 -days 365 -out /etc/ssl/certs/rootCA.pem
- Create the /ext/ssl/v3.ext configuration file with the following content:
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
DNS.1 = mydomain.com
where mydomain.com is the fully qualified domain name of your server.
- Create a self-signed certificate using the configuration file and the root certificate. Fill out the form that appears. When prompted, enter the Common Name that is the fully qualified domain name of your server:
sudo openssl genrsa -out /etc/ssl/private/selfsigned.key 2048
sudo openssl req -new -key /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.csr
sudo openssl x509 -req -in /etc/ssl/certs/selfsigned.csr -CA /etc/ssl/certs/rootCA.pem -CAkey /etc/ssl/private/rootCA.key -CAcreateserial -out /etc/ssl/certs/selfsigned.crt -days 365 -sha256 -extfile /etc/ssl/v3.ext
- Add rootCA.pem to the trusted root certificate list.
- For ELMA365 installation or update the selfsigned.key private key and selfsigned.crt certificate are used on the server.
- If a new certificate is issued, you need to renew the certificates by running the following command:
sudo elma365ctl reload-cert
Self-signed certificates don’t provide reliable data protection against malicious users. We recommend using SSL certificates that are issued from commercial CA as Comodo, Symantec, Thawte, etc.